Summary

This article will be updated as additional information becomes available. Please check back here regularly for updates and new FAQ.

This article provides information and updates for a new class of attacks known as “speculative execution side-channel attacks.” It also provides a comprehensive list of Windows client and server resources to help keep your devices protected at home, at work, and across your enterprise.

On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel processors to varying degrees. This class of vulnerabilities is based on a common chip architecture that was originally designed to speed up computers. You can learn more about these vulnerabilities at Google Project Zero.

On May 21, 2018, Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read. The customer risk from both disclosures is low.

For more information about these vulnerabilities, see the resources that are listed under May 2018 Windows operating system updates, and refer to the following Security Advisories:

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. For more information about this vulnerability and recommended actions, see the following Security Advisory:

On August 14, 2018, L1 Terminal Fault (L1TF), a new speculative execution side channel vulnerability was announced that has multiple CVEs. L1TF affects Intel® Core® processors and Intel® Xeon® processors. For more information about L1TF and recommended actions, see our Security Advisory:

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

On May 14, 2019, Intel published information about a new subclass of speculative execution side-channel vulnerabilities known as Microarchitectural Data Sampling. They have been assigned the following CVEs:

Important: These issues will affect other systems such as Android, Chrome, iOS, and MacOS. We advise customers seek guidance from their respective vendors.

Microsoft has released updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. This may include microcode from device OEMs. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.

Note: We recommend that you install all of the latest updates from Windows Update before you install microcode updates.

For more information about these issues and recommended actions, see the following Security Advisory:

On August 6, 2019 Intel released details about a Windows kernel information disclosure vulnerability. This vulnerability is a variant of the Spectre Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.

Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).

Steps to help protect your Windows devices

You may have to update both your firmware (microcode) and your software to address these vulnerabilities. Please refer to the Microsoft Security Advisories for recommended actions. This includes applicable firmware (microcode) updates from device manufacturers and, in some cases, updates to your antivirus software. We encourage you to keep your devices up-to-date by installing the monthly security updates.

To receive all available protections, follow these steps to get the latest updates for both software and hardware.

Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatically delivered to you. However, you should still verify that they’re installed. For instructions, see Windows Update: FAQ

Install available firmware (microcode) updates from your device manufacturer. All customers will have to check with their device manufacturer to download and install their device specific hardware update. See the "Additional resources" section for a list of device manufacturer websites.

Note

Customers should install the latest Windows operating system security updates from Microsoft to take advantage of available protections. Antivirus software updates should be installed first. Operating system and firmware updates should follow. We encourage you to keep your devices up-to-date by installing the monthly security updates.

Affected chips include those that are manufactured by Intel, AMD, and ARM. This means that all devices that are running Windows operating systems are potentially vulnerable. This includes desktops, laptops, cloud servers, and smartphones. Devices that are running other operating systems, such as Android, Chrome, iOS, and macOS, are also affected. We advise customers who are running these operating systems to seek guidance from those vendors.

At the time of publication, we had not received any information to indicate that these vulnerabilities have been used to attack customers.

Starting in January 2018, Microsoft released updates for Windows operating systems and the Internet Explorer and Edge web browsers to help mitigate these vulnerabilities and help to protect customers. We also released updates to secure our cloud services. We continue working closely with industry partners, including chip makers, hardware OEMs, and app vendors, to protect customers against this class of vulnerability.

We encourage you to always install the monthly updates to keep your devices up-to-date and secure.

We will update this documentation when new mitigations become available, and we recommend you check back here regularly.

Microsoft released a security update for the Windows operating system on July 9, 2019 to help mitigate this issue. We held back documenting this mitigation publicly until the coordinated industry disclosure on Tuesday, August 6, 2019.

Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically. Note that this vulnerability does not require a microcode update from your device manufacturer (OEM).

For more information about this issue, see the following Security Advisory and use scenario-based guidance outlined in the Windows guidance for Clients and Server articles to determine actions necessary to mitigate the threat:

Intel has released a microcode update for recent CPU platforms to help mitigate CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, and CVE-2018-12130. The May 14, 2019 Windows KB 4093836 lists specific Knowledge Base articles by Windows OS version. The article also contains links to the available Intel microcode updates by CPU. These updates are available via the Microsoft Update Catalog.

Note: We recommend that you install all of the latest updates from Windows Update before you install any microcode updates.

We’re happy to announce that Retpoline is enabled by default on Windows 10, version 1809 devices (for client and server) if the Spectre Variant 2 (CVE-2017-5715) mitigation is enabled. By enabling Retpoline on the latest version of Windows 10 via the May 14, 2019 update (KB 4494441), we anticipate enhanced performance, particularly on older processors.

Customers should ensure previous OS protections against the Spectre Variant 2 vulnerability are enabled using the registry settings described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions but disabled by default for Windows Server OS editions.) For more information about “Retpoline”, see Mitigating Spectre variant 2 with Retpoline on Windows.

Note: Windows Server 2008 SP2 now follows the standard Windows servicing rollup model. For more information about these changes, please see our blog Windows Server 2008 SP2 servicing changes. Customers running Windows Server 2008 should install either 4458010 or 4457984 in addition to Security Update 4341832, which was released on August 14, 2018. Customers should also ensure previous OS protections against the Spectre Variant 2 and Meltdown vulnerabilities are enabled using the registry settings outlined in the Windows Client and Windows Server guidance KB articles. These registry settings are enabled by default for Windows Client OS editions but disabled by default for Windows Server OS editions.
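As an added example that is not part of this article, the following PowerShell reads and, on request, sets the registry values that KB 4072698 documents for opting Windows Server into the Spectre Variant 2 and Meltdown mitigations. The key paths and the FeatureSettingsOverride = 0 / FeatureSettingsOverrideMask = 3 pair come from that KB; the function names are my own.

```powershell
# Added example (not from this article): inspect and, on request, enable the
# Windows Server registry opt-in for the Spectre Variant 2 (CVE-2017-5715) and
# Meltdown (CVE-2017-5754) mitigations documented in KB 4072698.
# FeatureSettingsOverride = 0 with FeatureSettingsOverrideMask = 3 enables both;
# 3 / 3 disables both. Function names are my own. Run from an elevated session;
# the change takes effect only after a restart.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$HyperVKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-SpectreMeltdownRegistryState {
    # On Windows Server the absence of these values means the mitigations are
    # off (the client default is on), so $null is a meaningful answer here.
    $props    = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    $status = if ($null -eq $override -and $null -eq $mask) {
        'NotConfigured (Server default: mitigations disabled)'
    } elseif ($override -eq 0 -and $mask -eq 3) {
        'Enabled'
    } elseif ($override -eq 3 -and $mask -eq 3) {
        'Disabled'
    } else {
        'Other combination: compare against KB 4072698'
    }

    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        Status                      = $status
    }
}

function Enable-SpectreMeltdownMitigations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # On a Hyper-V host, also set the value that extends the mitigations
        # to virtual machines (KB 4072698: MinVmVersionForCpuBasedMitigations).
        [switch]$HyperVHost
    )

    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride `
            -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask `
            -PropertyType DWord -Value 3 -Force | Out-Null
    }

    if ($HyperVHost -and $PSCmdlet.ShouldProcess($HyperVKey, 'Set MinVmVersionForCpuBasedMitigations=1.0')) {
        if (-not (Test-Path $HyperVKey)) { New-Item -Path $HyperVKey -Force | Out-Null }
        New-ItemProperty -Path $HyperVKey -Name MinVmVersionForCpuBasedMitigations `
            -PropertyType String -Value '1.0' -Force | Out-Null
    }

    Write-Warning 'Restart the server for the mitigation settings to take effect.'
}

# Usage: report the current state, then preview the change before applying it.
Get-SpectreMeltdownRegistryState
Enable-SpectreMeltdownMitigations -WhatIf
```

Drop the -WhatIf switch to apply the change; re-run Get-SpectreMeltdownRegistryState after the restart to confirm the Status column reads Enabled.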

August 2018 Windows operating system updates

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about L1TF and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF, please see the following resources:

On June 13, 2018, an additional vulnerability involving side-channel speculative execution, known as Lazy FP State Restore, was announced and assigned CVE-2018-3665. There are no configuration (registry) settings needed for Lazy FP State Restore.

For more information about this vulnerability, affected products, and recommended actions, see the following Security Advisory:

Intel recently announced that they have completed their validations and started to release microcode for recent CPU platforms related to Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). KB4093836 lists specific Knowledge Base articles by Windows version. The article contains links to the available Intel microcode updates by CPU.

June 2018 Windows operating system updates

On June 12, Microsoft announced Windows support for Speculative Store Bypass Disable (SSBD) in Intel processors. The updates require corresponding firmware (microcode) and registry updates for functionality. For information about the updates and the steps to apply to turn on SSBD, see the "Recommended actions" section in ADV180012 | Microsoft Guidance for Speculative Store Bypass.

May 2018 Windows operating system updates

In January 2018, Microsoft released information about a newly discovered class of hardware vulnerabilities (known as Spectre and Meltdown) that involve speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21, 2018 Google Project Zero (GPZ), Microsoft, and Intel disclosed two new chip vulnerabilities that are related to the Spectre and Meltdown issues that are known as Speculative Store Bypass (SSB) and Rogue System Registry Read.

The customer risk from both disclosures is low.

For more information about these vulnerabilities, see the following resources:

Follow the instructions that are outlined in KB 4073119 for Windows Client (IT Pro) guidance and KB 4072698 for Windows Server guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from Catalog if it was not installed on the device prior to upgrading the OS. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

We will offer additional microcode updates from Intel for the Windows operating system as they become available to Microsoft.

Follow the instructions outlined in KB 4073119 for Windows Client (IT Pro) guidance to enable usage of IBPB within some AMD processors (CPUs) for mitigating Spectre Variant 2 when you switch from user context to kernel context.

Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x86-based Windows operating systems. Customers should install the latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

Starting in March 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install the latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows. This vulnerability is documented in CVE-2018-1038. Users must apply this update to be fully protected against this vulnerability if their computers were updated on or after January 2018 by applying any of the updates that are listed in the following Knowledge Base article:

February 2018 Windows operating system updates

The following security updates provide additional protections for devices running 32-bit (x86) Windows operating systems. Microsoft recommends that customers install the update as soon as it is available. We continue to work to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates.

Note: Windows 10 monthly security updates are cumulative month over month and will be downloaded and installed automatically from Windows Update. If you have installed earlier updates, only the new portions will be downloaded and installed on your device. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

January 2018 Windows operating system updates

Starting in January 2018, Microsoft released security updates to provide mitigations for devices running the following x64-based Windows operating systems. Customers should install the latest Windows operating system security updates to take advantage of available protections. We are working to provide protections for other supported Windows versions but do not have a release schedule at this time. Please check back here for updates. For more information, see the related Knowledge Base article for technical details and the "FAQ" section.

Use the following links to check with your device manufacturer for firmware (microcode) updates. You will have to install both operating system and firmware (microcode) updates for all available protections.

Microsoft provides third-party contact information to help you find additional information about this topic. This contact information may change without notice. Microsoft does not guarantee the accuracy of third-party contact information.

Addressing a hardware vulnerability by using a software update presents significant challenges and mitigations for older operating systems and can require extensive architectural changes. We are continuing to work with affected chip manufacturers to investigate the best way to provide mitigations. This may be provided in a future update. Replacing older devices that are running these older operating systems and also updating antivirus software should address the remaining risk.

Notes

Products that are currently out of both mainstream and extended support will not receive these system updates. We recommend customers update to a supported system version.

Speculative execution side-channel attacks exploit CPU behavior and functionality. CPU manufacturers must first determine which processors may be at risk, and then notify Microsoft. In many cases, corresponding operating system updates will also be required to provide customers more comprehensive protection. We recommend that security-conscious Windows CE vendors work with their chip manufacturer to understand the vulnerabilities and applicable mitigations.

We will not be issuing updates for the following platforms:

Windows operating systems that are currently out of support or those entering end of service (EOS) in 2018

Windows XP-based systems including WES 2009 and POSReady 2009

Although Windows XP-based systems are affected products, Microsoft is not issuing an update for them because the comprehensive architectural changes that would be required would jeopardize system stability and cause application compatibility problems. We recommend that security-conscious customers upgrade to a newer supported operating system to keep pace with the changing security threat landscape and benefit from the more robust protections that newer operating systems provide.

Updates to Windows 10 for HoloLens are available to HoloLens customers through Windows Update.

After applying the February 2018 Windows Security Update, HoloLens customers do not have to take any additional action to update their device firmware. These mitigations will also be included in all future releases of Windows 10 for HoloLens.

For your device to be fully protected, you should install the latest Windows operating system security updates for your device and applicable firmware (microcode) updates from your device manufacturer. These updates should be available on your device manufacturer's website. Antivirus software updates should be installed first. Operating system and firmware updates can be installed in either order.

You will have to update both your hardware and your software to address this vulnerability. You will also have to install applicable firmware (microcode) updates from your device manufacturer for more comprehensive protection. We encourage you to keep your devices up-to-date by installing the monthly security updates.

In each Windows 10 feature update, we build the latest security technology deep into the operating system, providing defense-in-depth features that prevent entire classes of malware from impacting your device. Feature update releases are targeted twice a year. In each monthly quality update, we add another layer of security that tracks emerging and changing trends in malware to make up-to-date systems safer in the face of changing and evolving threats.

Make sure that your devices are up-to-date by having the latest security updates from Microsoft and your hardware manufacturer. For more info about how to keep your device up-to-date, see Windows Update: FAQ.

Continue to practice sensible caution when you visit websites of unknown origin, and do not remain on sites that you do not trust. Microsoft recommends that all customers protect their devices by running a supported antivirus program. Customers can also take advantage of built-in antivirus protection: Windows Defender for Windows 10 devices, or Microsoft Security Essentials for Windows 7 devices. These solutions are compatible in cases in which customers can’t install or run antivirus software.

To help avoid adversely affecting customer devices, the Windows security updates released in January or February have not been offered to all customers. For details, see the Microsoft Knowledge Base article 4072699.

Intel has reported issues that affect recently released microcode that is intended to address Spectre Variant 2 (CVE-2017-5715 – “Branch Target Injection”). Specifically, Intel noted that this microcode can cause “higher than expected reboots and other unpredictable system behavior” and also that situations such as this may cause “data loss or corruption.” Our own experience is that system instability can, in some circumstances, cause data loss or corruption. On January 22, Intel recommended that customers stop deploying the current microcode version on affected processors while they perform additional testing on the updated solution. We understand that Intel is continuing to investigate the potential impact of the current microcode version, and we encourage customers to review their guidance on an ongoing basis to inform their decisions.

While Intel tests, updates, and deploys new microcode, we are making available an out-of-band (OOB) update, KB 4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch Target Injection.” In our testing, this update has been found to prevent the behavior described. For the full list of devices, see Intel’s microcode revision guidance. This update covers Windows 7 (SP1), Windows 8.1, and all versions of Windows 10, for client and server. If you are running an impacted device, this update can be applied by downloading it from the Microsoft Update Catalog website. Application of this payload specifically disables only the mitigation against CVE-2017-5715 – “Branch Target Injection.”

As of January 25, there are no known reports to indicate that this Spectre Variant 2 (CVE-2017-5715) has been used to attack customers. We recommend that, when appropriate, Windows customers re-enable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device.

No. Security Only updates are not cumulative. Depending on the operating system version you are running, you must install all of the released Security Only updates to be protected against these vulnerabilities. For example, if you are running Windows 7 for 32-bit Systems on an affected Intel CPU, you have to install every Security Only update starting from January 2018. We recommend installing these Security Only updates in the order of release.

Note: An earlier version of this FAQ stated incorrectly that the February Security Only update included the security fixes released in January. In fact, it does not.

No. Security update 4078130 was a specific fix to prevent unpredictable system behaviors, performance issues, and unexpected restarts after the installation of microcode. Applying the February security updates on Windows client operating systems enables all three mitigations. On Windows server operating systems, you still have to enable the mitigations after appropriate testing is performed. See Microsoft Knowledge Base article 4072698 for more information.

Microsoft is making available Intel validated microcode updates around Spectre Variant 2 (CVE-2017-5715 “Branch Target Injection”). To get the latest Intel microcode updates through Windows Update, customers must have installed Intel microcode on devices running a Windows 10 operating system prior to upgrading to the Windows 10 April 2018 Update (version 1803).

The microcode update is also available directly from the Update Catalog if it was not installed on the device prior to upgrading the system. Intel microcode is available through Windows Update, WSUS, or the Microsoft Update Catalog. For more information and download instructions, see KB 4100347.

To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script, see KB4074629.
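As an added example that is not part of this article, the following PowerShell wraps the Get-SpeculationControlSettings script from KB 4074629 (distributed as the SpeculationControl module on the PowerShell Gallery) and condenses its output into one row per vulnerability covered on this page. The property names are the ones the module returns as I know it; the summary function, its column names, and the NeedsAction rule are my own.

```powershell
# Added example (not from this article): per-vulnerability mitigation summary
# built on the SpeculationControl module from KB 4074629. Property names below
# are those returned by Get-SpeculationControlSettings; the summary function and
# column names are my own. A property an older module version does not report
# shows as $null. Run from an elevated session so kernel state can be read.

function Get-SpeculativeExecutionMitigationSummary {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        # CurrentUser scope installs the module without elevation.
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module SpeculationControl
    # The script writes its narrative to the console; only the object is captured.
    $s = Get-SpeculationControlSettings

    $rows = @(
        [pscustomobject]@{
            Issue              = 'Spectre V2 / BTI (CVE-2017-5715)'
            HardwareVulnerable = $null                      # module reports hardware support, not exposure
            HardwareSupport    = $s.BTIHardwarePresent      # microcode / firmware support present
            OsSupportPresent   = $s.BTIWindowsSupportPresent
            OsSupportEnabled   = $s.BTIWindowsSupportEnabled
            Note               = "Retpoline=$($s.BTIKernelRetpolineEnabled)"
        }
        [pscustomobject]@{
            Issue              = 'Meltdown / KVA shadow (CVE-2017-5754)'
            HardwareVulnerable = $s.KVAShadowRequired
            HardwareSupport    = $null
            OsSupportPresent   = $s.KVAShadowWindowsSupportPresent
            OsSupportEnabled   = $s.KVAShadowWindowsSupportEnabled
            Note               = "PCID=$($s.KVAShadowPcidEnabled)"
        }
        [pscustomobject]@{
            Issue              = 'Speculative Store Bypass (CVE-2018-3639)'
            HardwareVulnerable = $s.SSBDHardwareVulnerable
            HardwareSupport    = $s.SSBDHardwarePresent
            OsSupportPresent   = $s.SSBDWindowsSupportPresent
            OsSupportEnabled   = $s.SSBDWindowsSupportEnabledSystemWide
            Note               = 'Needs microcode plus the ADV180012 registry opt-in'
        }
        [pscustomobject]@{
            Issue              = 'L1 Terminal Fault'
            HardwareVulnerable = $s.L1TFHardwareVulnerable
            HardwareSupport    = $s.L1DFlushSupported
            OsSupportPresent   = $s.L1TFWindowsSupportPresent
            OsSupportEnabled   = $s.L1TFWindowsSupportEnabled
            Note               = ''
        }
        [pscustomobject]@{
            Issue              = 'Microarchitectural Data Sampling'
            HardwareVulnerable = $s.MDSHardwareVulnerable
            HardwareSupport    = $null
            OsSupportPresent   = $s.MDSWindowsSupportPresent
            OsSupportEnabled   = $s.MDSWindowsSupportEnabled
            Note               = ''
        }
    )

    foreach ($r in $rows) {
        # Action is needed when the CPU is (or may be) affected and the OS
        # mitigation is not active: missing OS update, missing microcode, or
        # the Server-side registry opt-in not yet applied.
        $needs = ($r.HardwareVulnerable -ne $false) -and ($r.OsSupportEnabled -ne $true)
        $r | Add-Member -NotePropertyName NeedsAction -NotePropertyValue $needs
    }
    $rows
}

# Usage: a NeedsAction of True points at the rows to chase with the OEM or KB guidance.
Get-SpeculativeExecutionMitigationSummary | Format-Table -AutoSize
```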


Bounds Check Bypass Store (BCBS) was disclosed on July 10, 2018 and assigned CVE-2018-3693. We consider BCBS to belong to the same class of vulnerabilities as Bounds Check Bypass (Variant 1). We are not currently aware of any instances of BCBS in our software, but we are continuing to research this vulnerability class and will work with industry partners to release mitigations as required. We continue to encourage researchers to submit any relevant findings to Microsoft’s Speculative Execution Side Channel bounty program, including any exploitable instances of BCBS. Software developers should review the developer guidance that has been updated for BCBS at https://aka.ms/sescdevguide.

On August 14, 2018, L1 Terminal Fault (L1TF) was announced and assigned multiple CVEs. These new speculative execution side-channel vulnerabilities can be used to read the content of memory across a trusted boundary and, if exploited, can lead to information disclosure. There are multiple vectors by which an attacker could trigger the vulnerabilities depending on the configured environment. L1TF affects Intel® Core® processors and Intel® Xeon® processors.

For more information about this vulnerability and a detailed view of affected scenarios, including Microsoft’s approach to mitigating L1TF, please see the following resources:

Customers using 64-bit ARM processors should check with the device OEM for firmware support because ARM64 operating system protections that mitigate CVE-2017-5715 - Branch target injection (Spectre, Variant 2) require the latest firmware update from device OEMs to take effect.

As soon as we became aware of this issue, we worked quickly to address it and release an update. We strongly believe in close partnerships with both researchers and industry partners to make customers more secure, and did not publish details until Tuesday, August 6, consistent with coordinated vulnerability disclosure practices.